
From likes to leaks: The hidden cybersecurity risks of social media in business

Summary: Social media boosts business—but it’s also a cyber target. Learn simple best practices to protect your accounts, brand, and followers from common threats.

Social media is all about building brand awareness, engaging with customers, and driving sales. Now, companies of all sizes rely on social media platforms to stay competitive. A well-timed tweet, a viral video, or a clever Instagram reel can do wonders for visibility and connection—but there’s another side to the story that isn’t so glamorous.

Behind the likes, shares, and view count lies a growing web of cyber threats that target businesses through their social media accounts. From phishing attacks disguised as innocent friend requests to fake accounts impersonating your brand, social media users are constantly navigating a minefield of risks. For companies, the stakes are high—one careless click on a malicious link or a weak password could lead to a full-blown data breach.

That’s why social media security isn’t just a buzzword—it’s essential for business. The good news? With the right practices in place, you can enjoy the benefits of social media without the cyber stress. But first, let’s take a closer look at the specific risks your business faces when going social.

Understanding the risks associated with social media in business

Social media might feel like the digital water cooler of the internet—quick chats, shared memes, and the occasional humble brag—but for businesses, it’s more like a wide-open door. And if you’re not paying attention to who’s walking through that door, things can go sideways fast.

 

Data breaches

Let’s start with the big one. A simple social media post that seems harmless—say, a photo of your team in the office—can accidentally reveal confidential information lurking in the background. Maybe a whiteboard with project details or a computer screen left a little too visible. It doesn’t take much for a crafty cybercriminal to piece together sensitive data that was never meant to be public. And once it’s out there, you can’t take it back.

Phishing attacks

Phishing attacks on social media platforms aren’t limited to DMs from fake friends. They now include threats aimed directly at company page managers. Attackers may impersonate contractors, sending bogus invoices via page messages or spoofing Meta Ads Support with urgent requests to verify your business account credentials. These phishing tricks often mimic real platforms like Meta Business Manager, preying on urgency and familiarity to trick account admins into handing over access.

One careless click on a malicious link, and suddenly your social media accounts or even your entire network is compromised. These scams feed on trust and urgency, two things social media thrives on, too.

By the end of 2023, social media became the number one target for phishing attacks. A whopping 42.8% of all phishing incidents in the last months of 2024 hit platforms like Facebook, Instagram, and LinkedIn. That’s a huge jump from the previous quarter, proof that account theft scams are spreading fast.

Social media account hijacking

Account hijacking goes beyond mere impersonation. It occurs when an attacker gains full control of your social media account, often compromising your brand at scale. In a 2022 report, the Identity Theft Resource Center revealed a staggering 1,000% increase in social media account hijackings.

The report also found that 85% of Instagram and 25% of Facebook users experienced full account takeovers, with 70% permanently locked out. These breaches can devastate your presence: accounts may be repurposed to post malicious or misleading content, siphon ad budgets, or promote scams under your name.

To prevent this, enforce strong password hygiene, mandate multi‑factor authentication for all account admins, and audit any connected third‑party tools or post-scheduling apps—ensuring no single point of failure can compromise your brand.

Malware distribution

There are two primary scenarios to consider when it comes to social media security risks. Attackers can hide malicious URLs in comments, ad replies, or direct messages, using your brand’s reputation to trick users. At the same time, employees browsing social media may click on dangerous links in unrelated ads or promotions, risking their devices and potentially your network, especially in BYOD environments. So this isn’t just a brand-sourced issue or an employee hygiene issue—it’s both.

In 2024, infostealer malware played a major role in credential theft, accounting for more than 2.1 billion stolen credentials, over 60% of the 3.2 billion compromised that year. These tools are built to extract sensitive data directly from infected systems.

Public Wi-Fi hotspots

It’s tempting to check your brand’s Instagram or respond to customer messages while sipping a latte at the café, but public Wi-Fi risks are real. These networks are playgrounds for attackers looking to intercept logins to your online accounts, steal passwords, or sneak into your systems unnoticed.

All these threats can feel a bit overwhelming—but they’re not unbeatable. The key? Taking social media security seriously.

 

Why social media security is crucial for businesses

Let’s be honest—social media isn’t just a marketing channel anymore. It’s the digital face of your business. It’s where customers ask questions, leave glowing reviews (or not-so-glowing ones), slide into your DMs, and decide whether they trust you enough to click buy now. So when something goes wrong on your social channels, it doesn’t just stay online—it can ripple through your whole business, affecting:

Brand reputation

Imagine this—your official-looking social media accounts start posting weird links at 3 AM or messaging followers with shady giveaways. One hacked account or impersonation incident, and suddenly your customers are wondering if it’s you or just another bogus account with a profile pic and a dream. Social media threats like these can leave long-lasting dents in your reputation, and rebuilding that trust isn’t exactly a weekend project.

Customer trust

People want to feel safe when they interact with your brand—whether they’re commenting on a post, sending a message, or logging in to an account linked to your e-commerce site. If a data breach leaks customer info or they fall victim to phishing attacks via your compromised platform, they’re not just frustrated—they’re gone. No one wants to be the reason a loyal customer ends up a victim of identity theft.

Compliance and regulations

Depending on where you operate (and what kind of data you collect), there are likely regulations you need to follow—HIPAA, GDPR, CCPA, etc. Ignoring social media security can land you in legal trouble, especially if sensitive data is exposed or mishandled.

For instance, in 2019, Facebook faced a $5 billion fine from the US FTC over privacy violations tied to app data misuse and platform weaknesses, making it one of the largest penalties of its kind. It turns out that “we didn’t know” isn’t a great defense when regulators come knocking.

Potential costs

A single social media-related cyber attack can cost a business thousands or more. And by more, we mean that in 2024, the global average cost of a data breach for businesses was $4.9 million.

Being in tech, it’s even riskier—neglecting cybersecurity in software development can create vulnerabilities not only in your code but in your public-facing channels, too. We’re talking lost revenue, emergency IT support, legal fees, reputation cleanup, and even potential fines. It’s not just about protecting passwords—it’s about protecting your bottom line.

The truth is, your business can’t afford to treat social media like a casual side hustle. From malicious links to bogus accounts and social engineering schemes, the risks are real—but they can be managed with the right measures.

Best practices for enhancing social media cybersecurity


We’ve talked about the why. Now, let’s get into the how. Social media threats aren’t going anywhere, but with the right cybersecurity strategy, you can build a solid defense that keeps your brand safe and your followers happy. Here’s where to start:

1. Use a VPN

Public Wi-Fi might be convenient, but it’s also where a lot of bad things happen (digitally, at least). If your team is logging in to dashboards, reviewing social media posts, or chatting with clients from airports, cafés, or coworking spaces, a VPN is your first line of defense.

It encrypts your internet connection, making it way harder for anyone to snoop, intercept, or hijack your activity. For businesses with remote teams, traveling marketers, or agencies managing multiple brands, using a Business VPN is one of those no-brainer moves. It’s easy, invisible, and it works.

2. Keep mobile devices secure

Let’s be real—most of us manage our brand’s socials from our phones. While that’s super convenient, it also opens the door to more cyber threats, especially if those mobile devices aren’t secured.

Introduce a clear Bring Your Own Device (BYOD) policy to secure any personal devices used for work. Require screen locks, automatic updates, and other baseline protections to minimize risk.

If employees access company social media accounts from their own phones or tablets, ensure those devices meet your security standards. And never allow logins to social media accounts on shared or public devices.

3. Train your team to spot social engineering attacks

Social engineering remains one of the most effective ways to compromise business systems—and social media accounts are prime targets. A well-crafted DM posing as a colleague or a fake customer request can be all it takes. If your team manages customer service or marketing via social channels, they need clear protocols to recognize and respond to these threats in real time.

A little awareness training can go a long way. Teach your team not to share sensitive information over social DMs, not to click on unexpected links, and to always verify requests—especially the ones that sound just a little off. Then, back that training up with the right tools.

NordLayer’s Web Protection automatically blocks access to harmful or suspicious websites—cutting off malware, phishing attempts, and shady ads before they even load. For an extra line of defense, advanced malware protection scans every new downloaded file in real time. If a threat is detected, it’s instantly removed—keeping devices clean without interrupting your team’s workflow.

4. Lock down your logins with multi-factor authentication

We get it—passwords are annoying, and no one wants to memorize a 16-character string with symbols and numbers. But when it comes to social media security, strong passwords aren’t optional. And if you’re not using additional authentication steps yet, now’s the time.

Start with two-factor authentication (2FA)—it adds a second step, like a code sent to your phone or a biometric check, making it way harder for someone to break into your social media accounts, even if your password gets leaked.

For more advanced protection, go beyond 2FA with multi-factor authentication (MFA), which can combine several forms of verification. NordLayer implements MFA measures such as 2FA and Single Sign-On (SSO) to help ensure that only authorized users—not just devices—can access your network and tools.

And here’s where things often go sideways: passwords shouldn’t be shared between team members, and they definitely shouldn’t stay the same forever. Set a routine for updating them.

You can make your social media security smoother (and honestly, a lot less painful) with a business password manager—it keeps everything organized, encrypted, and far away from sticky notes or spreadsheets.

5. Apply access controls to posting

The more people have access to your accounts, the more chances there are for mistakes—or worse. Implement access controls by sticking to a “need-to-post” policy. If someone doesn’t need access to your social media platforms, don’t give it to them.

And even for those who do, set clear boundaries about what can (and can’t) be shared. Accidental leaks of sensitive information can happen with just one hasty screenshot or a poorly thought-out caption. A short approval workflow or social media security playbook can help enforce Role-Based Access Controls (RBAC) and reduce human error.

6. Monitor, update, and don’t ignore weird stuff

A successful e-commerce cybersecurity plan includes regular check-ins—and the same goes for your social media accounts. Review who has access, check for suspicious logins, and monitor for signs of social media threats like spammy DMs, bogus accounts impersonating your brand, or followers reporting strange behavior.

If something seems off, take it seriously. Social media cyber attacks don’t usually come with flashing red warning signs—they often start with a small, weird glitch. Don’t ignore it.

With NordLayer, you can implement Network Access Control (NAC) to limit access only to trusted users and compliant devices. Its Device Posture Security (DPS) feature ensures that only devices meeting your organization’s security standards can connect to your network—reducing risk from outdated, misconfigured, or potentially compromised endpoints.

Combined with network visibility tools, this gives you better insight into who’s connecting, from where, and how—so you can catch potential threats before they snowball.

Securing the social side of business with NordLayer

Managing your business on social media platforms is a full-time hustle—and keeping those platforms safe shouldn’t be another headache. That’s where NordLayer steps in. It seamlessly integrates with your existing security stack, whether you’re a growing startup or an established brand. NordLayer extends policy-based access controls and network-level protections to social media workflows without adding friction for your team.

NordLayer acts as a strong security layer between your business and potential cyber threats. With a Business VPN to secure internet traffic, Web Protection to block harmful sites, and Download Protection for advanced malware detection and removal, your team can click, post, and engage with confidence—even when working from untrusted networks or on the move.

NAC ensures that only authorized users and compliant devices can access your network, while DPS helps block access from endpoints that don’t meet your set security standards. For broader visibility and segmentation, features like Cloud Firewall support your network security strategy and help limit the reach of potential threats.

Remote or hybrid team? No problem. NordLayer supports secure access across devices and locations—so your social media team can stay protected whether they’re posting from HQ or a café halfway across the world.

Whether you’re running a tech company with active developer environments and a focus on cybersecurity in software development, or an online store that lives and breathes digital engagement, NordLayer extends your protection to where your customers are—social media included.

Ready to see how it fits into your team’s workflow? Contact our sales team today to get started!

 

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

What is a site-to-site VPN, and why might your business need one?

Summary: A site-to-site VPN uses encrypted tunnels to link two or more networks over the public internet, letting every location behave as part of one private network.

Modern companies rarely live in one building. They run branch offices, cloud workloads, and even pop-up sites at events. All those locations share data every minute. If that traffic travels over a public network without protection, attackers can read, alter, or hijack it. A site-to-site VPN delivers a secure connection between entire networks by wrapping every bit in strong encryption.

Site-to-site VPN definition

A site-to-site VPN is a VPN connection that links two or more networks across the public internet using an encrypted tunnel. It relies on Internet Protocol Security (IPsec) or a similar protocol suite to authenticate VPN endpoints, encrypt data, and maintain integrity.

Because the tunnel joins entire networks, people sometimes call it a “network-to-network” or “router-to-router” VPN. The most common deployment connects an on-premises LAN to a branch office network or a cloud VPC.

In short, a site VPN lets multiple sites communicate as one private network even though the traffic crosses a public network. Unlike a remote access VPN, which secures one device at a time, a site-to-site setup secures whole networks through their gateways. It also differs from clientless SSL portals that proxy web traffic, because it preserves all IP-level protocols and allows any application to communicate across sites.

When does it make sense to use a site-to-site VPN?

Site-to-site VPNs work best when an organization needs persistent, transparent connectivity between locations. They balance security, cost, and manageability better than leased lines or ad-hoc user VPNs. Consider this architecture in the following scenarios:

  1. Multiple physical locations: If you operate multiple offices, warehouses, or data centers, you need secure communication between them. A site-to-site design keeps resource sharing fast and private.
  2. Branch office network connectivity: Retail chains, medical clinics, and schools often maintain hundreds of small sites. Each branch office requires safe, predictable access to corporate applications hosted at headquarters or in the cloud.
  3. Cloud extension: Moving a workload to AWS, Azure, or Google Cloud does not remove the need for private networks. A site VPN securely connects the on-premises LAN to the cloud VPC without exposing services to the public internet.
  4. Mergers and acquisitions: Newly merged companies usually run separate infrastructures until a full migration is completed. A temporary site VPN allows data transfer and collaboration without waiting for a total redesign.
  5. Partner or supplier collaboration: Manufacturers work with external users, such as suppliers, who need limited access to design systems or inventory APIs. An extranet site-to-site tunnel provides that access while honoring strict access control rules.
  6. Regulatory compliance: Frameworks like HIPAA, PCI-DSS, and GDPR demand encryption in transit. A site-to-site VPN with IPsec tunnels proves that sensitive data stays protected between locations.
  7. Cost-effective alternative to dedicated lines: A private MPLS circuit offers predictable bandwidth performance but can cost thousands per month per site. A VPN connection over business broadband provides similar security at a fraction of the price.

In all of these situations, the technology delivers encrypted, predictable paths without forcing every employee or application to change its workflow. By tunneling at the network layer, it blends seamlessly with existing routing and security policies.


Understanding how site-to-site VPNs work

Although implementation details vary by vendor, every site-to-site VPN follows the same basic lifecycle. The gateways discover one another, negotiate cryptographic parameters, and then encapsulate traffic so it can traverse untrusted networks securely. At a high level, the workflow looks like this:

  1. VPN gateway deployment: Each location has a device capable of handling VPN software and cryptography. That device might be a next-generation corporate firewall, a virtual router in an IaaS platform, or a small hardware appliance in a branch office.
  2. Tunnel establishment: Gateways exchange identification information and create a secure channel during the Internet Key Exchange (IKE) phase. They agree on encryption algorithms, hash functions, and session timers.
  3. Authentication: The gateways verify each other with pre-shared keys or digital certificates. This step blocks rogue endpoints and preserves the trust network.
  4. Data encapsulation: When a device sends traffic to an IP address at a remote site, the gateway intercepts the packet, encrypts it, and wraps it inside another IP header. This wrapper carries the destination gateway’s public IP address.
  5. Secure transport: The encapsulated packet travels over the public internet. Anyone who captures it sees only scrambled bytes and metadata required for delivery.
  6. Decapsulation and forwarding: The destination gateway strips the outer header, decrypts the payload, and sends the original packet to the target system. To internal servers and workstations, the information looks like it came from the local network.

Modern gateways refresh keys regularly, detect link failures, and re-establish tunnels within seconds if a provider drops packets. Administrators can run multiple parallel tunnels for redundancy or load-sharing. The protocol suites have been hardened over decades, making a successful cryptographic attack extremely difficult. Because the entire process is automatic, users experience seamless, secure communication.
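The agreement on algorithms in step 2 can be modelled in a few lines. This is an added example, not NordLayer's or any vendor's code: it is a simplified model of proposal selection, and the transform labels, the `WEAK` set, and the rule that the initiator's order decides the match are assumptions made for illustration. It shows why a legacy transform left in a gateway's offer lets a tunnel come up with weak cryptography, and why removing it turns that into a visible negotiation failure instead.

```python
"""Simplified model of proposal selection between two VPN gateways during IKE.
Transform labels, the WEAK set and all offers are constructed for this example."""

TYPES = ("enc", "integ", "dh")  # transform types modelled here (real IKE has more)

# Assumption: transforms this example's policy treats as no longer acceptable.
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "dh1", "dh2", "dh5"}

# Constructed offer from the initiating gateway, in preference order.
HQ_OFFER = [
    {"enc": ["aes-256-cbc"], "integ": ["sha384"], "dh": ["dh20"]},
    {"enc": ["aes-256-cbc", "aes-128-cbc", "3des-cbc"],
     "integ": ["sha256", "sha1"], "dh": ["dh14", "dh2"]},
]

# Constructed responder policies: what each branch gateway is willing to accept.
BRANCH_MODERN = {"enc": ["aes-128-cbc", "aes-256-cbc"], "integ": ["sha256"], "dh": ["dh14"]}
BRANCH_LEGACY = {"enc": ["3des-cbc"], "integ": ["sha1"], "dh": ["dh2"]}


def select_proposal(offer, accepts):
    """Return (index, chosen transforms) for the first offered proposal in which
    every transform type has a mutually supported value, otherwise
    (None, "NO_PROPOSAL_CHOSEN")."""
    for idx, proposal in enumerate(offer):
        chosen = {}
        for t in TYPES:
            match = next((x for x in proposal[t] if x in accepts[t]), None)
            if match is None:
                break  # this proposal cannot be satisfied, try the next one
            chosen[t] = match
        else:
            return idx, chosen
    return None, "NO_PROPOSAL_CHOSEN"


def weak_transforms(chosen):
    """List the negotiated transforms that fall in the WEAK set."""
    return sorted(v for v in chosen.values() if v in WEAK)


def harden(offer):
    """Strip WEAK transforms from every proposal; drop proposals left empty for any type."""
    hardened = []
    for proposal in offer:
        kept = {t: [x for x in proposal[t] if x not in WEAK] for t in TYPES}
        if all(kept[t] for t in TYPES):
            hardened.append(kept)
    return hardened


if __name__ == "__main__":
    for name, accepts in (("modern branch", BRANCH_MODERN), ("legacy branch", BRANCH_LEGACY)):
        for label, offer in (("original offer", HQ_OFFER), ("hardened offer", harden(HQ_OFFER))):
            idx, result = select_proposal(offer, accepts)
            if idx is None:
                print(f"{name}, {label}: {result}")
            else:
                print(f"{name}, {label}: proposal {idx} -> {result}, weak: {weak_transforms(result)}")
```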


Different types of site-to-site VPNs

Site-to-site architectures fall into two broad categories based on who controls the networks on each side of the tunnel. Understanding the distinction helps you choose the right access controls and compliance model.

Intranet-based VPN


An intranet-based site-to-site VPN links multiple networks that belong to the same company. A global manufacturer, for example, may connect factories in three countries to its central enterprise resource planning (ERP) system. All traffic stays inside private networks controlled by corporate IT.

Extranet-based VPN


An extranet-based site-to-site VPN connects your corporate network to an outside organization. The VPN connection grants the partner access only to approved subnets or services. Careful network configuration, access control lists, and monitoring are vital to protect the rest of your infrastructure.

Many organizations also extend a site-to-site model to the cloud. Public IaaS vendors offer managed VPN gateways that form an encrypted tunnel between your office firewall and a virtual router in the cloud VPC. This approach keeps cloud workloads inside the corporate network without exposing SSH or RDP to the public internet.

Enterprises with dozens of branch office network sites sometimes deploy dynamic-multipoint VPN (DMVPN) or a similar hub-and-spoke architecture. With DMVPN, one branch can create a temporary VPN tunnel directly to another branch, trimming latency and offloading traffic from headquarters. Both options follow the same principles of data encryption, secure communication, and policy-driven access control, yet they scale better for distributed networks.

The benefits of site-to-site VPNs for secure network architecture

Deploying encrypted links between sites is about more than ticking a compliance box. It can simplify day-to-day operations, cut telecom costs, and give teams the freedom to place workloads where they make the most sense.

  • Encrypted connection on all paths: Data encryption stops eavesdropping on the public internet. Attackers see only the ciphertext, even if they capture packets.
  • Unified corporate network: Employees reach shared drives, intranets, and VoIP services regardless of their physical location.
  • Lower operational costs: Broadband links paired with IPsec tunnels cost less than MPLS lines and scale quickly as you add multiple offices.
  • Streamlined administration: IT manages a few VPN gateways rather than hundreds of individual users. Policies stay consistent across all connected networks.
  • Scalability: Add a new site by configuring a new gateway and updating routing tables. No need to change every endpoint device.
  • Business continuity: Redundant tunnels and diverse service provider links keep critical applications online even if one ISP fails.

Together, these advantages let businesses expand faster while protecting sensitive data. When paired with modern monitoring and automation tools, a site-to-site fabric becomes an integral part of a Zero Trust network architecture.


What are the limitations of site-to-site VPNs?

Despite their strengths, site-to-site VPNs are not a universal remedy. You should weigh the following trade-offs before committing to large-scale deployment.

  • Reliance on internet connection quality: Packet loss or high latency on a public network affects the VPN tunnel’s performance.
  • Setup complexity: Choosing compatible encryption settings, resolving IP address overlaps, and updating firewall rules demand expertise.
  • Hardware overhead: Encryption and decryption consume CPU cycles. Older VPN devices may become a bottleneck as bandwidth grows.
  • Limited support for mobile staff: Site-to-site VPNs secure entire networks but do little for remote workers who operate from hotels or home offices. They still need secure remote access solutions such as a remote access VPN client.
  • Monitoring challenges: It can be hard to pinpoint whether a slow file transfer stems from the WAN link, the VPN tunnel, or the application itself.
  • Scaling to very large ecosystems: As the number of tunnels grows, manual configuration becomes error-prone. Mesh topologies may require advanced tools or a move toward Secure Access Service Edge.

Most of these pain points grow with the number of tunnels, so planning for scalability and investing in automated configuration tools early can prevent operational headaches later.


How to set up a site-to-site VPN

Building a reliable site-to-site deployment is as much a project-management exercise as a technical one. The following steps outline a proven rollout sequence that minimizes downtime and surprises.

  1. Assess requirements: List the number of sites, expected bandwidth, security measures, and compliance needs.
  2. Select hardware or virtual gateways: Ensure each gateway supports IPsec tunnels, strong encryption, and route-based VPNs.
  3. Plan addressing: Assign unique private IP address ranges to avoid conflicts when two or more networks merge.
  4. Provision internet services: Order business-grade broadband or fiber with Service Level Agreements (SLAs). Consider redundant links for critical offices.
  5. Define policies: Decide which subnets can communicate, what access control lists apply, and whether to use static or dynamic routing.
  6. Configure each gateway: Input the peer IP address, pre-shared key or certificate, encryption algorithms, and tunnel lifetime.
  7. Establish routes: Use static routes, Border Gateway Protocol (BGP), or Open Shortest Path First (OSPF) so traffic finds the tunnel.
  8. Test the VPN tunnel: Ping hosts across the link, run throughput tests, and simulate failover scenarios.
  9. Document and monitor: Store configurations in a version-controlled repository. Enable logging, SNMP, or NetFlow to track performance.
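Steps 3 and 5 can be checked before any gateway is configured. The script below is an added example, not part of the original article or any vendor tooling: it validates an address plan for cross-site overlaps and checks that each tunnel policy rule maps to exactly one source site and one different destination site. Site names, prefixes and policy rules are constructed sample data, and the plan is IPv4 only.

```python
"""Pre-deployment check for a site-to-site VPN address plan and tunnel policy.
All site names, prefixes and policy rules are constructed sample data (IPv4 only)."""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan: site name -> LAN prefixes behind that site's gateway.
SITES = {
    "hq":        ["10.0.0.0/16"],
    "branch-a":  ["10.1.0.0/24", "10.1.1.0/24"],
    "branch-b":  ["192.168.1.0/24"],
    "cloud-vpc": ["10.0.128.0/20"],    # sits inside hq's 10.0.0.0/16
    "partner":   ["192.168.1.0/24"],   # same range as branch-b
}

# Constructed policy: (source prefix, destination prefix) pairs allowed across tunnels.
POLICY = [
    ("10.1.0.0/24", "10.0.0.0/16"),     # branch-a -> hq
    ("192.168.1.0/24", "10.0.5.0/24"),  # source exists at two sites
    ("172.16.0.0/24", "10.0.0.0/16"),   # source is not in the plan
    ("10.1.0.0/24", "10.1.1.0/24"),     # both ends are behind branch-a
]


def parse_plan(sites):
    """Convert prefix strings to network objects; prefixes with host bits set raise ValueError."""
    return {name: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for name, prefixes in sites.items()}


def non_rfc1918(plan):
    """Prefixes that are not inside the RFC 1918 private ranges."""
    return [(site, str(net)) for site, nets in plan.items() for net in nets
            if not any(net.subnet_of(block) for block in RFC1918)]


def find_overlaps(plan):
    """Pairs of prefixes at different sites that share addresses."""
    flat = [(site, net) for site, nets in plan.items() for net in nets]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(flat, 2)
            if sa != sb and na.overlaps(nb)]


def owners(plan, prefix):
    """Sites whose LAN prefixes fully contain the given prefix."""
    net = ipaddress.ip_network(prefix)
    return [site for site, nets in plan.items() if any(net.subnet_of(n) for n in nets)]


def check_policy(plan, policy):
    """Return (rule index, finding) for rules that cannot be routed unambiguously."""
    findings = []
    for i, (src, dst) in enumerate(policy):
        src_sites, dst_sites = owners(plan, src), owners(plan, dst)
        for side, sites in (("src", src_sites), ("dst", dst_sites)):
            if not sites:
                findings.append((i, f"unknown-{side}"))
            elif len(sites) > 1:
                findings.append((i, f"ambiguous-{side}"))
        if len(src_sites) == 1 and src_sites == dst_sites:
            findings.append((i, "same-site"))  # traffic never crosses a tunnel
    return findings


if __name__ == "__main__":
    plan = parse_plan(SITES)
    for site, net in non_rfc1918(plan):
        print(f"not private: {site} {net}")
    for sa, na, sb, nb in find_overlaps(plan):
        print(f"overlap: {sa} {na} <-> {sb} {nb}")
    for i, finding in check_policy(plan, POLICY):
        print(f"policy rule {i} {POLICY[i]}: {finding}")
```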

For teams without deep network experience, a managed VPN provider or a cloud-based SASE platform offers quicker deployment and ongoing support. These services offload routine updates, patch management, and capacity planning to experts, freeing internal teams to focus on core business objectives.

They also provide unified dashboards that surface real-time metrics, alerting you to issues before users feel the impact. When evaluating vendors, look for transparent SLAs, integration with your identity provider, and detailed audit logs.

 

How NordLayer helps securely connect your sites

Traditional site-to-site VPN projects often take months, require expensive hardware, and depend on specialized teams. NordLayer simplifies this with a cloud-managed secure access solution that combines Site-to-Site VPN, Secure Remote Access, and advanced threat protection in one platform.


Key advantages:

  • Fast deployment: Launch virtual VPN gateways in minutes—globally—and link locations using IPsec or NordLynx (WireGuard®) tunnels.
  • Zero Trust Network Access (ZTNA): Enforce granular, identity-based policies that restrict access to specific apps and services—even within connected sites.
  • Flexible infrastructure: NordLayer supports various connection models (e.g., hub-and-spoke, full mesh) and integrates with both on-prem and cloud environments.
  • Centralized visibility: Monitor network health, usage, and policies from one Control Panel.
  • Built-in threat protection: Strengthen site and remote access security with DNS filtering, malware detection, and network segmentation.
  • Site-to-Site VPN support: Securely connect branch offices, data centers, and cloud networks without physical infrastructure changes.

With NordLayer, organizations can connect distributed locations and remote teams under one scalable and secure architecture—without complexity.

 


Sharing Hub: a single way to control all shared items

In today’s world of fast-paced business, tracking and managing shared credentials and other sensitive information across your organization can be overwhelming. To make things easier, we’re excited to introduce the Sharing Hub—a centralized dashboard that allows NordPass organization Owners to easily view and manage all shared items within their organization. It is designed to increase security, streamline operations, and put you in full control.

What is the Sharing Hub?

The Sharing Hub is a feature accessible only through the NordPass Admin Panel. As an organization Owner, you can use it to view and easily manage all individual items or folders shared within your organization, as well as those shared externally by your users.

This means two things: first, you gain full visibility into your company’s shared data—allowing you to see exactly who has access to what, the type of access they have, and who originally shared each item—all from one centralized dashboard. Second, from the same dashboard, you can manage access to shared credentials and folders in real time by granting, revoking, or modifying permissions for any shared item or folder. This way, you can ensure your employees share sensitive information like passwords, passkeys, or credit card details securely—without relying on unsafe channels—and you stay informed, ensuring everyone only has access to what they need.

Many existing password management solutions don’t provide full visibility and control over shared credentials from a single, centralized dashboard. Because of this, organizations often either rely on unsupervised peer-to-peer sharing or restrict credential sharing altogether, with the latter leading some employees to ignore established policies and use insecure channels like email or chat apps. Naturally, both scenarios pose a serious risk to the company’s cybersecurity. NordPass solves this problem with the Sharing Hub, giving administrators the tools they need to easily monitor and manage access to shared items.

How the Sharing Hub works

Access and availability

The Sharing Hub is exclusive to users with the Owner role within the organization. Owners can access this feature via the Admin Panel.

The Sharing Hub is available only with our Enterprise plan. It is purpose-built to meet the needs of companies that require comprehensive oversight and management of access to their sensitive information.

Enabling and disabling the Sharing Hub

Organization Owners can turn the Sharing Hub on or off based on their company’s needs. This can be done through the Settings page in the Admin Panel.

Centralized dashboard

Once enabled, the Sharing Hub becomes a centralized dashboard where organization Owners can track and manage all shared items within and outside the company. This includes items that have been shared internally, such as passwords, passkeys, credit cards, personal information, or secure notes. Thanks to the Sharing Hub, you will be able to see metadata for each item such as the title, type, owner, and the last edited date. This metadata provides valuable context without exposing the contents of the shared items.

It’s also worth noting that the Sharing Hub doesn’t give Owners direct access to the items themselves or a way to make changes to them. Instead, its main purpose is to offer improved visibility of items shared across the organization and make it easier to manage who has access to what. This means that, as an organization Owner, you can see who has access to certain items, who originally shared them, and what level of access they have—then adjust those permissions as needed.

Access management

Thanks to the Sharing Hub, organization Owners can easily grant, change, or remove access to shared items or folders for anyone in the organization. In other words, you can give someone access whenever it’s needed, limit what they can do with it, or remove their access entirely if it’s no longer necessary.

To make things clearer, here are some key features you get with the Sharing Hub:

  • Add/remove users and groups to/from shared folders.

  • Add/remove users to/from specific shared items.

  • Adjust access levels like view, edit, autofill, or share for both items and folders.

  • Transfer ownership of shared items or folders.

  • Share folders with groups even if the organization Owner isn’t part of that folder.

With all this centralized control, organization Owners can stay on top of access management, reduce the risk of human error, and enforce strong security policies across the organization.

Filtering and sorting options

Tracking a huge number of shared items can be tricky. To simplify that process, the Sharing Hub includes filtering and sorting features that are designed to help Owners track the data efficiently.

  • Filtering by item type: Owners can filter items by their type, for example, passwords, secure notes, or shared folders. 

  • Filtering by user or group: Owners can select a specific user or group to see all items shared with them.

  • Sorting by members’ status: You can sort members based on their status: Active, Inactive, or External.

  • Sorting by title: Owners can sort items by title and organize items alphabetically, making it easier to locate specific items by name.

  • Sorting by last edited date: Owners can sort items by last edited date, which can greatly help in identifying recent changes or updates.

Access details and ownership information

The Sharing Hub provides detailed information about who has access to each shared item and their specific permission levels. Owners can see:

  • Active users: Users that currently have access to the item, along with their permission levels.

  • Inactive users: Users who have been deactivated but may still have residual access to items.

  • Pending shares: Invitations that have been sent to users but not yet accepted. Pending shares indicate that the item is in the process of being shared, but access has not been established.

  • External shares: Items created by organization users and shared externally are marked with a special icon and labeled “External.” This visibility helps Owners monitor data that is shared outside the organization, which could pose additional security risks.

To further enhance usability, the Sharing Hub also includes a search function that allows Owners to search for items by their title. This is useful when an Owner wants to quickly find certain items without scanning through long lists or applying multiple filters.

How can the Sharing Hub help your organization?

The Sharing Hub can help companies enhance their security and operational efficiency by offering centralized control of all shared items and folders. With this feature, organizations can more effectively prevent unauthorized access attempts, thoroughly audit all shared credentials and access levels from a single dashboard, and respond quickly to potential misconfigurations or cyber threats. In other words, the Sharing Hub helps ensure employees share credentials securely—without relying on insecure channels like email or chat apps—while giving admins the oversight and control needed to keep credential sharing safe and appropriate.

With the introduction of the Sharing Hub, NordPass meets the current needs and future demands of organizations needing more control and compliance capabilities. This makes NordPass stand out in the market, where security and transparency come first.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.


How to manage passkeys for your Google Account

Passkeys are digital keys that combine cryptography and biometrics to create a more secure and convenient way to authenticate online identity. Instead of remembering and typing a password, you can use a fingerprint reader or Face ID to verify your identity and gain access to your online accounts.

 

What are Google’s requirements for passkeys to work?

To use passkeys for your Google Account, your authentication device must meet the following requirements:

  • An Android device that runs at least Android 9.

  • An iOS device that runs at least iOS 17.

  • A macOS device that runs at least Ventura.

  • A Windows computer that runs at least Windows 10.

  • If you use a hardware key for passkey authentication, check whether it supports the FIDO2 protocol.

  • If you use NordPass for passkey management, make sure you have the app or extension installed on your device.

 

How to set up a passkey for your personal Google Account

Google Account settings follow a similar layout on different devices, so you can follow these setup instructions on whichever device you prefer:

  1. In your Google Account settings, select the “Security” tab.

  2. Under “How you sign in to Google,” select “Passkeys and security keys.” You may be asked to verify your identity.

  3. Select “Use passkeys” to switch on passkey authentication. Then, select “Create a passkey.” You will be prompted to unlock your device.

  4. That’s it! You can now use a passkey to access your Google Account.

If you use your Google Account on multiple devices, you can set up unique passkeys for each one.

In the same Google Security settings, you can choose to use passkeys as your primary login method:

  1. Under “How you sign in to Google,” select “Skip password when possible.”

  2. Toggle on “Skip password when possible” and return to settings.

 

How to set up passkeys for Google Workspace

If your organization uses Google Workspace, you may be able to set up a passkey as the primary or secondary authentication method. First, your organization administrator has to switch on passwordless authentication for all Workspace accounts.

For admins:

  1. Log in to your Google Workspace account.

  2. In the Admin Panel, go to the “Security” tab.

  3. Under “Authentication,” select “Passwordless.”

  4. Select “Skip passwords.” For more granular controls, you can adjust this setting for specific departments in your organization.

  5. Optionally, check the “Allow users to skip their password and authenticate with a passkey” box to make passkeys the primary authentication method.

  6. Select “Save.” All users in your organization will now be able to set up a passkey. If you completed step 5, passkey setup will be mandatory.

For end users:

  1. In your Google Account settings, select the “Security” tab.

  2. Under “How you sign in to Google,” select “Passkeys and security keys.” You may be required to enter your account password to proceed.

  3. Select “Use passkeys.” Then, select “Create a passkey.”

  4. You will be prompted to unlock your device to create the passkey.

  5. You can now use a passkey as an authentication method.

Depending on your organization’s settings, the passkey will work either as a primary or secondary authentication step. If you use more than one device to access Google Workspace, you can create unique passkeys for each one.

 

How to save and manage passkeys for your Google Account in NordPass

Having a Google Account passkey tied to your device can pose some challenges. If you suddenly lose access to that device, you won’t be able to use the passkey to log in to your account. While you can resort to alternative login methods like entering your account password, a simpler solution is creating a passkey with a third-party provider like NordPass.

 

Saving, logging in, and managing your Google Account passkey in NordPass

To set up a passkey for your Google Account, you need to use the NordPass browser extension.

  1. Log in to your NordPass account to keep it running in the background.

  2. In your Google Account settings, select the “Security” tab.

  3. Under “How you sign in to Google,” select “Passkeys and security keys.”

  4. Click “Use passkeys” to switch on passkey authentication.

  5. Click “Create a passkey.” You may be prompted to enter your account password.

  6. You will see a NordPass pop-up prompting you to create a passkey. Add a title to the passkey and select “Create.”

  7. In the Google Account screen, click “Done.”

That’s it! You’ve created a Google Account passkey with NordPass. Thanks to synchronization, you will be able to use it to log in to Google on any device that has NordPass installed.

To manage your passkey, go to your NordPass vault. In the “Passkeys” tab, locate your Google Account passkey. Click the three dots on the right side of this passkey and select “Edit.” You can add extra information using custom fields.

If you want to delete your NordPass passkey, you can do so in the Google Account security settings. Alternatively, you can switch off passkeys as the primary authentication method, as detailed in the instructions above.

  1. In the Security settings, select “Passkeys and security keys.”

  2. You will see a list of passkeys connected to your Google Account. Select the “X” next to the NordPass passkey.

  3. Confirm your selection. If you want to add a NordPass passkey to your Google Account in the future, follow the previous instructions.

Note that disconnecting NordPass from your Google Account passkey options doesn’t automatically remove the passkey from your vault. To remove it, click the three dots on the right side of the passkey in your vault and select “Move to trash.” 

 

Using Google to sign in to your Nord Account or Nord Business Account

It’s not recommended to store both your Google account password and passkey in NordPass if you use Google as an authentication service to sign in to NordPass. If you are using Google single sign-on (SSO), you need to log in to your Google account first before unlocking NordPass. For this reason, you should not depend solely on NordPass for accessing your Google account.

However, you can still use passkeys to access your Google account. There are two workarounds to use passkeys for the Google account used to log in to NordPass:

Google offers passkey authentication as an alternative to passwords, which means that you can use both a passkey and a password to log in to your Google account. A password can be used when signing in to NordPass, while a passkey stored in NordPass can be used to log in to your Google account in other cases.

Alternatively, you can create multiple passkeys for your Google account and use the one not provided by NordPass to log in to your NordPass account. Another passkey, provided by NordPass, can be used to log in to your Google account whenever it’s needed.

 


Can Slack admins read your DMs?

If you use Slack for work, chances are you’ve sent a message or two that you hoped only your teammate would get to see. It’s all right, we’ve all done it—expecting a bit of privacy in what feels like a one-on-one conversation. But is Slack privacy even a thing? Are your DMs just between you and the person you’re chatting with? Let’s find out.

Can your boss see your Slack messages?

It might not be what you want to hear, but yes—your manager could potentially read your private Slack messages. That said, it’s not as simple as them just opening up your chat history. Whether they can access your messages depends on the Slack plan your company is on, its Slack workspace settings, and the established internal privacy policies.

In other words, no one can just casually peek into your DMs. Your employer would either need your permission or have to go through a formal process—usually by submitting a request to Slack and providing a valid reason, like a legal or compliance investigation. So, they’d only be able to export messages from your private channels and DMs if Slack approved their request.

Should that ever happen, don’t bother editing or deleting your DMs—it won’t make any difference. Slack stores all the original versions of your messages on its servers. So, once you send something, it’s technically there for good.

Also worth noting: anything you post on public channels is automatically visible to everyone in the Slack workspace—no special permissions needed.

So, can Slack admins read user DMs?

As you can probably guess, the answer is still a “yes”—but with a few caveats.

Slack admins in your company are responsible for things like access permissions, legal compliance, and integrations. Basically, they’re the ones running the Slack show. This means that, in some situations, they can technically have access to your direct messages in Slack. But here’s the key part: they can’t do it by default. There are data privacy rules and Slack policies in place to prevent casual snooping. Access to private messages only happens under specific circumstances.

If your company uses Slack’s Enterprise Grid or Business+ plan, some admins—usually people working in IT, compliance, or HR—can be given the option to export data from Slack, including all private messages. It’s a feature mostly meant for large organizations that need to stay on top of compliance and legal requirements. But for this to happen, admins have to put in a request directly to Slack—and Slack won’t approve it unless they’ve got a really solid legal or compliance reason.

On Pro and Free plans, things are a lot more limited. Admins can only export messages from public channels. That said, in the case of a serious breach or legal investigation, even on these plans, a company can submit a formal request to Slack for access to private data. And if the situation is serious enough, Slack will likely grant it.

So, are your Slack messages private? Technically, yes—at least until something happens that prompts an investigation. If that day comes, Slack admins could gain access to your messages so they can be reviewed.

Types of data that can be exported from Slack

With all this talk about who can download what on which Slack plan, it’s totally fair if you’re feeling a bit dizzy and wondering what it means for the privacy of your messages. To help clear things up, check out the table below—it lays out exactly what kind of data admins can access, based on the company’s Slack plan.

| Export type | Free | Pro | Business+ | Enterprise Grid |
|---|---|---|---|---|
| Exporting messages from public channels | Yes | Yes | Yes | Yes |
| Exporting messages from public channels, private channels, and direct messages* | | | Yes | Yes |
| Exporting messages by conversation type or member | | | | Yes |
| Exporting a detailed list of channels* | | | Yes | Yes |
| Export Slack data for a single user* | | | | Yes |

*Workspace owners and organization owners need to submit a request to enable these types of exports.

So if you’re still wondering, “Can Slack admins see private channels?”—the short answer is “technically, yes.” However, their access depends on which Slack plan the company is on, and whether Slack approves their request to check your private messages.

Is it similar with tools like Microsoft Teams?

Yes, very much so. Just like with Slack, your employer can get access to your messages on Microsoft Teams—provided they’re on the right subscription plan. The only difference (though it might feel like a big one) is that with MS Teams, admins do NOT need Microsoft’s approval to view private messages within the organization.

So, if your company is on the E3 or E5 Office 365 Enterprise plan, your admins can use features such as eDiscovery to search for and export data like:

  • One-on-one, group, and meeting chats

  • Private channel messages

  • Meeting chat logs

  • Recorded meetings and transcripts

  • Files that were shared as attachments

That said, it’s probably not like someone is sitting there reading your messages all day. These data monitoring tools are mainly in place for security, compliance, and legal reasons—for example, if there’s a data breach. In day-to-day operations, your messages are most likely just stored safely in the background.

But if you’re specifically asking: “Can Microsoft Teams be monitored by my boss?”, the answer is: “Yes, it sure can be.”

How to act responsibly on Slack

Since Slack is meant for work-related communication, it’s probably not the best place to overshare or drop sensitive info without a second thought. Here are a few handy tips to help you stay clear, professional, and safe while chatting with your team—without putting yourself (or anyone else) in a tough spot.

Be respectful—no matter who you’re chatting with

Everyone in your organization deserves to be treated with kindness and respect. As part of the team, you must always communicate in a professional manner—whether you are chatting in person or online. If someone’s giving you trouble, it’s best to talk to your supervisor about the situation, without letting your emotions take over and writing something on Slack that could negatively affect how others perceive you.

Be mindful about sharing personal stories

It’s perfectly normal for people to form friendships at the office—after all, many—if not most—of us spend more time with our coworkers than with our friends outside of work. That said, it doesn’t mean you should treat Slack like your personal messaging app and use it to have casual, buddy-buddy conversations with your teammates. Keep in mind you’re still at work, and some things are better saved for when you’re hanging out with the team outside of work hours.

Avoid sharing confidential business information

What’s really important is that you use Slack for things like collaborating with your team on your daily tasks, scheduling meetings, and sharing updates on marketing campaigns. This is to say that you should never put sensitive data—like client information, company secrets (such as proprietary designs), passwords to business accounts, or credit card details—in a post or message on Slack. If you need to share something sensitive, like corporate credentials or credit card information, it’s better to use a tool like NordPass, which keeps everything encrypted. And if you’re unsure about what’s safe to share on Slack, it’s a good idea to check with your IT department for guidance.

Stay informed about Slack’s privacy settings

Remember that your employer could potentially access your private messages and channels at any time. Right now, your messages are usually only reviewed by admins if there’s a serious investigation, like checking if you’ve crossed any lines or if your actions contributed to a legal issue or data breach. But these rules could change, so it’s a good idea to stay on top of any updates to your organization’s Slack privacy policy in the future.

Bottom line

If your company uses Slack, your employer might be able to see your messages in private chats and channels—but it depends on your company’s Slack plan and whether Slack agrees that your boss has a good reason to see your DMs.

That said, it’s always a good idea to keep things professional in your Slack messages and avoid sharing sensitive information like customer data or corporate passwords. If you do need to share business credentials with your teammate, make sure to do it using a secure password manager like NordPass to keep everything safe and sound.

